28 February 2018
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
The "reflection process" on data retention: working documents discussed by Council published
Follow us: | | Tweet
The documents provide an insight into some of the issues that have been discussed by Member States' representatives and EU agencies, who since March 2017 have participated in a sub-group of the Council's Working Party on Information Exchange and Data Protection (DAPIX) to "facilitate a common reflection process at EU level on data retention in light of the recent judgments of the Court of Justice of the European Union."
The documents include overviews of the legal framework for telecommunications data retention in the Member States, a presentation from Europol on the possibility of introducing a new measure on "targeted data retention", and proposals for using the forthcoming e-Privacy Regulation to make possible some form of data retention.
Mandatory retention of telecommunications metadata was required in every EU Member State by the 2006 Data Retention Directive, which was annulled by the Court of Justice of the EU (CJEU) in April 2014 in the Digital Rights Ireland judgment, which declared the surveillance measure to be "an interference with the fundamental rights of practically the entire European population" that could not be justified given its broad scope and lack of safeguards.
A further CJEU judgment, Tele2/Watson, was handed down in December 2016 and said that imposing on telecommuniations providers a general and indiscriminate obligation to retain data was prohibited.
This has proved something of a headache for officials, as a number of Member States' legislation implementing the Directive was subsequently annulled - although the majority of Member States still have a data retention regime in place. The aim of the "reflection process" is to try to establish a way to reintroduce an EU-wide data retention measure.
It can be observed that the use of working documents does not serve the interests of transparency, as they are not automatically listed in the Council's register of documents and will likely only become available to the public through dedicated requests or leaks.
A recent recommendation from the European Ombudsman noted that the way working documents are currently dealt with by the Council "hinders citizens from easily finding out, in good time, that such documents exist," and that it is "cumbersome for the general public to access information on negotiations in preparatory bodies."
Statewatch requested access to all minutes/"outcome of proceedings" produced by the Council working group 'DAPIX (Friends of Presidency) - Data retention' and all working papers/non-papers/other documentation submitted to that working group.
Some documents were released in full, others were released in censored form while others could not be released at all, argued the Council's transparency department (pdf). However, a number of the documents in the latter two categories have already been published by Statewatch (see the end of this report for links).
Working documents produced and discussed during the Council's "reflection process" on data retention
1. Europol Study on the data retention regime applying in the EU Member States (WK 3570/2017 INIT, LIMITE, 4 April 2017, pdf):
"Delegations will find attached in the Annex a Study on the data retention regime applying in the EU Member States carried out by Europol, on the initiative of its Data Protection Office. The project was initiated in light of the Judgment of the Court of Justice of the EU of 8 April 2014 Digital rights invalidating the Directive 2006/24/EC."
2. European Judicial Cybercrime Network (EJCN) on the effects of the CJEU judgement (WK 3596/2017 INIT, LIMITE, 4 April 2017, pdf):
"Delegations will find attached a questionnaire addressed to the European Judicial Cybercrime Network (EJCN) on the effects of the CJEU judgement of 21 December 2016 on data retention on Member States and judicial cooperation."
Responses to the questionnaire can be found in document 10098/17 (pdf), published previously by Statewatch.
3. Data Retention - State of play in the Member States (WK 5206/17, LIMITE, 8 May 2017, pdf):
"Delegations will find in the Annex a table outlining the status of legislation in the MSs, as noted to date. Delegations are invited to verify this information and to inform the Presidency on any changes or corrections, as well as on relevant court cases that could be noted in this context."
Updated versions were subsequently produced: REV 1 and REV 2 (pdfs)
4. A submission from Europol that has been censored: Data categories to be retained for law enforcement purposes (WK 5380/2017 INIT, LIMITE, 11 May 2017, pdf):
"this document outlines scenarios that require different data categories to be retained for law enforcement (LE) purposes in the context of an investigation with the ultimate aim of attribution of criminal activity to an individual perpetrator."
A section on "use cases" has been deleted in its entirety. The conclusion argues that: "different levels of threshold might apply to different categories of data depending on the level of interference into personal rights of the suspects, victims, and possibly non-involved others."
5. Not a working document, but not previously published: Note from the Presidency: Targeted data retention - Exchange of views(9558/17, LIMITE, 23 May 2017, pdf):
"The Presidency would like to invite an exchange of views on the concept of targeted retention of traffic and location data, as set out by the Court in the Tele2 judgement focusing in particular on each of the four criteria listed by the Court, while taking into account that they are closely intertwined."
6. Censored document from the Council Presidency: Ensuring the availability of data for the purposes of prevention and prosecution of crime = Presentation of options and exchange of views (WK 9380/17 INIT, LIMITE, 12 September 2017, pdf):
"The mind map in attachment summarises the main options and related elements identified thus far for ensuring the availability of communication data that could be eventually used for the purposes of prevention and prosecution of crime. The mind map is based on written contributions by delegations and expert exchanges throughout the discussions on that matter. It is not exhaustive and is intended to be a living document."
The "mind map" has been removed from the public version of the document.
7. Europol: Proportionate data retention for law enforcement purposes (WK 9957/2017 INIT, LIMITE, 21 September 2017, pdf):
The document contains a presentation from an official in Europol's data protection unit which suggests how the EU could legislate for new mandatory data retention requirements whilst remaining in line with the requirements of the Court of Justice of the EU, as set out in cases such as Digital Rights Ireland and Tele2/Watson. It argues for what it refers to as "targeted data retention", concluding that:
Similar arguments have been offered by the EU Counter-Terrorism Coordinator:EU Counter-Terrorism Coordinator: "additional data retention obligations are necessary" (Statewatch News Online, 27 November 2017)
8. Censored document from the Presidency: Availability of data and issues related to data retention - elements relevant in the context of e-Privacy = Exchange of views (WK 11127/2017 INIT, LIMITE, 10 October 2017, pdf)
"Based on the discussions in the DAPIX-FoP, the Presidency is of the opinion that the e-Privacy Regulation is not the instrument to lay down criteria for law enforcement access. The issue of the availability and retention of the data is, however, linked to the e-Privacy Regulation. As the e-Privacy Regulation will apply to all processing of electronic communications metadata, data availability, resulting from the processing activities of providers could currently fall under the rules of e-Privacy."
Pages 4, 5 and 6 of the document are deleted in their entirety.
Documentation previously published by Statewatch
11.12.17: Data retention and the ePrivacy Regulation: Member State positions revealed (11 December 2017)
8.12.17: Document contained in: Justice and Home Affairs Council, 7-8 December 2017: Conclusions and background documentation (8 December 2017)
1.12.17: NOTE from: Presidency to: Council: Data retention: Retention of electronic communication data = Policy debate (14480/1/17 REV 1, LIMITE, 1 December 2017, pdf)
27.11.17: EU Counter-Terrorism Coordinator: "additional data retention obligations are necessary" (27 November 2017)
20.11.17: Member State data retention regimes - what's changed? The answer is very little so far (20 November 2017)
30.10.17: NOTE from: Presidency to: Delegations: Retention of communication data for the purpose of prevention and prosecution of crime - specific elements in light of the ECJ case-law = exchange of views (13845/17, LIMITE, 30 October 2017, pdf)
12.7.17: NOTE from: Presidency to: Delegations: Processing and storage of data in the context of the draft ePrivacy Regulation = Introduction and preliminary exchange of views (11107/17, LIMITE, 12 July 2017, pdf)
31.5.17: NOTE from: Presidency to: Permanent Representatives Committee/Council: Common reflection process on data retention = Progress report (9802/17, LIMITE, 31 May 2017, pdf)
4.5.17: NOTE from: Presidency: Access criteria for competent authorities to retained communication data - Exchange of views (8798/17, LIMITE, 4 May 2017, pdf)
5.4.17: NOTE from: Presidency to: Delegations: Reflection process on data retention issues - Issues to be discussed (7597/17, LIMITE, 5 April 2017, pdf)
7.3.17: NOTE from: General Secretariat of the Council: Retention of electronic communications data (6726/1/17 REV 1, LIMITE, 7 March 2017, pf)
1.3.17: NOTE from: Presidency to: CATS: Retention of electronic communication data - next steps (6713/17, LIMITE, 1 March 2017, pdf)
20.1.17: More "going dark" problems: Europol wants data retention to ease identification of individual internet users(20 January 2017)
Search our database for more articles and information or subscribe to our mailing list for regular updates from Statewatch News Online.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.